Skip to content
Pillar 9

Standards landscape

The established standards that govern counterfeit-part avoidance, testing, and distribution, what each covers, and where CILM sits in relation to them — as a methodology that references these standards, not as a standard, a certification authority, or a conformity attestation.

Counterfeit-part risk is not a new problem, and the response to it is not a blank page. A body of established standards already governs how organizations avoid, detect, and dispose of suspect and counterfeit electronic components, how laboratories test them, and how distributors control them. The documents discussed here address different parts of that problem rather than competing solutions. CILM does not replace any of these standards; it references them and organizes lot-level evidence and decisions within the scope those standards define, rather than positioning itself as a competitor to them.

This page sets out what the principal standards cover, using their current published revisions, and then states plainly where CILM sits and — with equal weight — what CILM is not.

What the standards cover

The standards divide along the supply chain, each addressing a different actor or activity.

SAE AS5553E applies to organizations that purchase and integrate EEE parts. It sets requirements for a counterfeit-avoidance system covering avoidance, detection, mitigation, and disposition. It is the standard aimed at the integrator — the organization that designs and builds products using components procured from the supply chain.

SAE AS6171A is the test-methods standard. It standardizes inspection and test methods and their general execution requirements for detecting suspect or counterfeit EEE parts. It does not, on its own, turn an individual test result into an unrestricted guarantee of authenticity: any result remains bounded by the methods, samples, coverage, and evidence applied — a boundary that CILM treats as central, and which is the author’s methodological reading rather than a claim of the standard.

SAE AS6081A, revised in 2023, addresses independent distribution and open-market procurement, where provenance is often less complete or more difficult to establish. It sets avoidance, detection, mitigation, and disposition requirements for that channel, and it directs the procuring organization to define its inspection and test regime according to risk.

SAE AS6496A, revised in December 2024, addresses the authorized distribution channel, where a distributor’s relationship with the original manufacturer generally provides a stronger initial evidentiary position, though lot-level evidence may still require independent evaluation. It sets requirements to mitigate counterfeit-part risk in that channel.

NIST SP 800-161 Rev. 1 operates at a different level. It is an organizational framework for cybersecurity supply-chain risk management — governance, policy, planning, and risk assessment across an enterprise — not a test or purchasing standard for individual components. It is relevant to CILM as a governance environment into which lot-level evidence and decision records can be incorporated, not as an anti-counterfeit component standard. NIST does not offer third-party certification against the publication.

ISO/IEC 20243-1:2023, the Open Trusted Technology Provider Standard (O-TTPS), addresses the integrity of commercial-off-the-shelf ICT products across their lifecycle, covering both maliciously tainted and counterfeit products. Its scope is adjacent to component-level counterfeit avoidance, but it is broader and differently framed, and it is not a direct equivalent of AS5553E or AS6171A for individual EEE parts.

Where CILM sits

CILM is an evidence-orchestration and implementation layer — a decision-support methodology that provides an implementation framework for lot-level evidence management. Its outputs remain compatible with organizational processes defined by these standards, but the methodology does not determine whether an organization conforms to them. It does not define test methods, set purchasing requirements, or govern a distribution channel — the standards above already do that. What CILM adds is a structured way to organize lot-level evidence positions, verification decisions, and auditable decision records for a specific procurement lot: to assemble the evidence available, to decide how deeply that lot should be verified, and to record the resulting decision so that it can be audited later. Where such standards are adopted, CILM organizes that evidence and those decisions within their respective scopes; it may also be applied independently in organizations that do not formally operate under those standards.

The relationship can be set out level by level.

LevelStandardWhat the standard setsWhere CILM sits relative to it
Purchaser / integratorAS5553ECounterfeit-avoidance requirements for organizations buying and integrating EEE partsStructures evidence intake, lot-level risk routing, and the decision record
Test and inspectionAS6171AMethods and requirements for detecting suspect or counterfeit partsSelects the required verification depth and records the qualified result as a Lab Evidence Event
Independent distributionAS6081ACounterfeit-risk controls for open-market distributionUses channel status and channel evidence as inputs; does not certify a distributor
Authorized distributionAS6496ACounterfeit-risk controls for the authorized channelTreats authorized sourcing as one evidence input within the lot-level evidence position rather than a conclusive lot-level determination
Enterprise C-SCRMNIST SP 800-161 Rev. 1Governance, policy, planning, and risk assessmentSupplies lot-level evidence and auditable decisions into a wider risk-management program
COTS ICT integrityISO/IEC 20243-1:2023Organizational practices against tainted and counterfeit ICT productsAdjacent framework; no direct conformity claimed without a formal crosswalk

What CILM is not

CILM is not a standard. It is not an official, industry, or international standard, and it does not seek that status. It is not a certification authority: it does not audit organizations, grant conformity, or issue certificates against AS5553E, AS6171A, AS6081A, AS6496A, ISO/IEC 20243-1:2023, or any other document. Certification or conformity assessment against those standards is performed by accredited bodies, not by a methodology.

CILM does not claim compliance, conformity, approval, or endorsement by SAE, NIST, ISO, or IEC. Where this page names a standard, it does so to describe what already exists and to locate CILM relative to it, not to assert a relationship of approval. An organization operating under any of these standards can use CILM to organize the evidence and decisions its own compliance program requires — but conformity remains the responsibility of the organization and its applicable conformity-assessment process, not of CILM.

A note on the source documents

The SAE and ISO/IEC standards referenced here are copyrighted and, in most cases, available only by purchase from their publishers. This page describes their scope in general terms and links to the official publisher pages; it does not reproduce their text. The NIST publication is issued by a US government agency and is available without charge. Designations and revisions on this page reflect the current published versions at the date shown; standards are revised periodically, and readers should confirm the current revision against the publisher’s catalogue before relying on it.

[DIAGRAM: a layered relationship map, not a hierarchy. A central vertical band labelled “CILM — evidence orchestration and implementation layer” runs down the middle. To its left, a stack of standard-defined domains feeds in as references: “Purchaser / integrator — AS5553E”, “Test and inspection — AS6171A”, “Independent distribution — AS6081A”, “Authorized distribution — AS6496A”, “Enterprise C-SCRM — NIST SP 800-161 Rev. 1”, “COTS ICT integrity — ISO/IEC 20243-1:2023”. To its right, the operational systems CILM connects to as sources and consumers are shown: “Laboratories (verification evidence)”, “Component-intelligence / incident databases”, and “ERP / QMS / PLM”. Below them, two CILM outputs are shown distinctly: “Digital Component Passport (evidence container)” and “Auditable Decision Record (disposition and its evidence)”. Arrows run from the standards into CILM as normative references, between CILM and the connected systems as evidence and decision flows, and from CILM to its two outputs, which are shown as products of CILM rather than external systems. A caption reads: CILM references the standards and connects the systems; it does not replace, certify, or supersede any of them. Author-developed.]

Information gain

A leveled map of the counterfeit-avoidance standards landscape — purchaser and integrator, test and inspection, independent and authorized distribution, enterprise cybersecurity supply-chain risk, and COTS ICT integrity — with each document placed against the specific scope it governs and the specific, bounded role the methodology plays relative to it, using the current published revisions verified against the publishers.

Author contribution

The placement of CILM as an evidence-orchestration and implementation layer and decision-support methodology relative to established standards, organizing lot-level evidence positions, verification decisions, and auditable decision records within their respective scopes while explicitly disclaiming certification, conformity, approval, or endorsement by SAE, NIST, ISO, or IEC, as developed in the methodology by the author.

Claims and sources

  • SAE AS5553E sets anti-counterfeit requirements for organizations that purchase and integrate electrical, electronic, and electromechanical (EEE) parts, covering avoidance, detection, mitigation, and disposition of counterfeit parts.

    Verified Source: SAE International
  • SAE AS6171A standardizes inspection and test methods and general requirements used to detect suspect or counterfeit EEE parts.

    Verified Source: SAE International
  • SAE AS6081A, revised in 2023, sets anti-counterfeit avoidance, detection, mitigation, and disposition requirements for independent distribution and open-market procurement of EEE parts.

    Verified Source: SAE International
  • SAE AS6496A, revised in December 2024, sets requirements to mitigate the risk of counterfeit EEE parts in the authorized distribution channel.

    Verified Source: SAE International
  • NIST SP 800-161 Rev. 1 provides an organizational framework for cybersecurity supply-chain risk management (C-SCRM), and NIST states that it does not offer third-party certification against the publication.

  • ISO/IEC 20243-1:2023 (O-TTPS, Part 1) sets requirements and recommendations for mitigating maliciously tainted and counterfeit commercial-off-the-shelf (COTS) ICT products across the product lifecycle.

    Verified Source: ISO

FAQ

Is CILM a standard?

No. CILM is an independent methodology. It references established standards and organizes evidence and decisions around their scopes, but it is not a standards body, a certification authority, or an official standard, and it does not confer any status recognized by SAE, NIST, ISO, or IEC.

Does CILM certify or assess conformity to AS6171A or AS5553E?

No. CILM does not certify or assess conformity to any standard. It helps an organization assemble lot-level evidence, select a verification depth, and produce an auditable decision record that the organization can use within its own compliance program. Certification or conformity assessment against a standard is performed by accredited bodies or the organization's applicable conformity-assessment process, not by CILM.

How does CILM relate to AS6171A?

AS6171A defines the inspection and test methods used to detect suspect or counterfeit parts. CILM does not perform those methods; it selects the required verification depth for a lot and records a qualified result as one qualified Lab Evidence Event within the overall evidence chain. The relationship is described under lot-level verification and detection methods and their limits.

Where does NIST SP 800-161 fit?

NIST SP 800-161 Rev. 1 is a broad cybersecurity supply-chain risk-management framework for organizations, not a test or purchasing standard for individual electronic components. CILM can contribute lot-level evidence and decision records within such a governance environment, but it does not claim NIST compliance or endorsement, and NIST does not offer certification against the publication.

Is ISO/IEC 20243 the same kind of standard as AS5553E?

No. ISO/IEC 20243-1:2023 addresses organizational practices for protecting the integrity of commercial-off-the-shelf ICT products across their lifecycle, including maliciously tainted and counterfeit products. Its scope is adjacent to, but broader and differently framed from, lot-level verification of individual electronic components.

Does referencing these standards mean CILM is approved by them?

No. Referencing a standard is not approval, endorsement, or conformity. The standards are cited to explain what already exists and to locate CILM relative to it. No endorsement, approval, sponsorship, affiliation, or conformity is claimed or implied.

References